[SOLVED] Hi everyone, I’m currently migrating from...
# general
d
[SOLVED] Hi everyone, I’m currently migrating from in-house auth to Kratos. I am looking for a way for privileged code to create a valid session on behalf of a particular user, something like `POST /admin/sessions`.
Why do I want this? We have a partner who needs single sign-on with a custom protocol (similar to, but not, OIDC). We have a lambda that implements the protocol, verifies the user’s identity, fetches their profile from the partner and creates an account for them. But if they already have an account we would like to create a session for them instead. We have considered things like faking a `code` login flow on their behalf, but that seems like a very ugly hack. The partner are unwilling to implement OIDC for their own reasons. I’ve searched GitHub discussions but have only found creating sessions discussed in the context of testing; I haven’t seen anything about creating Ory sessions outside of a `LoginFlow` in production. Thanks everyone!
m
Hello @dazzling-nightfall-42114, have you seen the "invite" flow: https://www.ory.sh/docs/kratos/manage-identities/invite-users ? It is basically the recovery flow, but the outcome is, I think, what you are looking for: an email with a code/link that gives the user a valid session.
d
Thanks for the reply, I apologise if my question was not clear. I am happy with the process to create an account based on the profile information we get from our partner. What I am stuck on is creating a session for an existing user. The idea goes like this:
1. User logs into our partner’s website.
2. User clicks a link to our website which passes an identity token to us (AWS Lambda running in a privileged environment).
3. We verify the identity token with the partner and thus get the user’s profile.
4. We create an Ory Kratos session for the user (who already has an account with us, verified from the profile information we just fetched) and send the session cookie to the user.
5. User is now logged in to Kratos and can use our services like any other user.
Step 4 is where I am stuck, since it seems (?) it’s only possible to create a session via a Login Flow, and there seems (?) to be no way to run a Login Flow on behalf of a user. We would like to avoid having to email the user a link, or have them enter their password, since they have already authenticated with our partner. Obviously OIDC would be a good match here, and we are using that for other partners, but in this case we can’t use OIDC.
m
Hello @dazzling-nightfall-42114. You can't create sessions on behalf of someone else and send them around; it would be very unsafe to have this capability in the system. This would mean you could just "steal" someone's session if you get access to the cookie. You can do this via OIDC as you mentioned, but again this is very unsafe to implement in general. So I would strongly recommend having some user interaction to log into your service. It might be a bit more inconvenient for the user, but then again you also don't run the risk of them losing their account / personal data etc.
d
Hmm, I thought that would be the answer, thanks for clarifying. Someone with access to the admin API can generate a recovery code for any user via `POST /admin/recovery/code`, which they can use (after a few steps) to get a session for any user, so it doesn’t seem like preventing the admin API from creating sessions changes who can do what. But I understand that you don’t want to encourage sending cookies around. Really appreciate your help Vincent, I’ll go back to our partner and explain that Ory strongly recommend adding a user interaction (we will probably use a `code` login). All the best!
m
Sure, let me know how it goes @dazzling-nightfall-42114. If it is a no-go we can look at other options as well.